15.7. Nagios in a MAC Jail

This section demonstrates the steps that are needed to
implement the Nagios network
monitoring system in a MAC environment. This
is meant as an example, and the administrator must still
test that the implemented policy meets the security requirements
of the network before using it in a production environment.

This example requires multilabel to be set
on each file system. It also assumes that
net-mgmt/nagios-plugins,
net-mgmt/nagios, and
www/apache22 are all installed, configured,
and working correctly before attempting the integration into the
MAC framework.

15.7.1. Create an Insecure User Class

Begin the procedure by adding the following user class
to /etc/login.conf:

This policy enforces security by setting restrictions on
the flow of information. In this specific configuration,
users, including root, should never be
allowed to access Nagios.
Configuration files and processes that are a part of
Nagios will be completely
self-contained, or jailed.

This file will be read after running
setfsmac on every file system. This
example sets the policy on the root file system:

15.7.4. Loader Configuration

Add the following line to the network card configuration
stored in /etc/rc.conf. If the primary
network configuration is done via DHCP,
this may need to be configured manually after every system
boot:

maclabel biba/equal

15.7.5. Testing the Configuration

First, ensure that the web server and
Nagios will not be started on
system initialization and reboot. Ensure that root cannot access any of the
files in the Nagios configuration
directory. If root
can list the contents of
/var/spool/nagios, something is wrong.
Instead, a “permission denied” error should be
returned.

Double check to ensure that everything is working
properly. If not, check the log files for error messages. If
needed, use sysctl(8) to disable the mac_biba(4)
security policy module and try starting everything again as
usual.

Note:

The root user
can still change the security enforcement and edit its
configuration files. The following command will permit the
degradation of the security policy to a lower grade for a
newly spawned shell:

# setpmac biba/10 csh

To block this from happening, force the user into a
range using login.conf(5). If setpmac(8) attempts
to run a command outside of the compartment's range, an
error will be returned and the command will not be executed.
In this case, set root to
biba/high(high-high).
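
The range restriction described in the note above can be modelled as a simple bounds check. This is an added example, not code from the original page or from FreeBSD: it assumes a simplified, grade-only view of Biba labels (compartments and biba/equal are rejected rather than modelled), and the function names are hypothetical.

```python
import re

# Assumption: simplified model of the range rule. Only grades are handled;
# compartments and biba/equal are rejected instead of being modelled.
_LABEL = re.compile(r"^biba/(\w+)(?:\((\w+)-(\w+)\))?$")


def grade_rank(grade):
    """Map a Biba grade to a sortable integer: low < 0..65535 < high."""
    if grade == "low":
        return -1
    if grade == "high":
        return 65536
    if grade.isdigit() and int(grade) <= 65535:
        return int(grade)
    raise ValueError(f"unsupported grade: {grade!r}")


def parse_label(text):
    """Return (effective, range_low, range_high) ranks; range may be None."""
    m = _LABEL.match(text.strip())
    if not m:
        raise ValueError(f"unsupported label: {text!r}")
    eff, lo, hi = m.groups()
    eff_rank = grade_rank(eff)
    if lo is None:
        return eff_rank, None, None
    lo_rank, hi_rank = grade_rank(lo), grade_rank(hi)
    if not lo_rank <= eff_rank <= hi_rank:
        raise ValueError(f"effective grade outside its own range: {text!r}")
    return eff_rank, lo_rank, hi_rank


def relabel_allowed(class_label, requested):
    """True if the requested effective label lies inside the class range."""
    _, lo, hi = parse_label(class_label)
    if lo is None:
        raise ValueError("class label carries no range")
    req, _, _ = parse_label(requested)
    return lo <= req <= hi


if __name__ == "__main__":
    # root confined to biba/high(high-high): a request for biba/10 is refused.
    print(relabel_allowed("biba/high(high-high)", "biba/10"))   # False
    # Constructed wide range for contrast: the same request is accepted.
    print(relabel_allowed("biba/high(low-high)", "biba/10"))    # True
```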